Why Personal Access Tokens?

Because they provide an easy way to work with our Content Management API, and are a widespread standard used across well-known organisations and services (such as Github, for example).

What’s the difference between tokens issued by an OAuth app and Personal Access tokens?

Inherently none, as both are tokens to access the Contentful Content Management API. They are both tied to the user who requested it, hence have access to the very same organisations, spaces and content as the token’s owner.

The difference is more conceptual: with OAuth, you authorize an app to talk to Contentful on your behalf, and might not ever see the credentials that the app uses; on the other hand, with Personal Access Tokens you are in charge of asking for the credentials to the API, and subsequently managing them.

When should I use an OAuth app and when should I prefer a Personal Access Token?

This highly varies depending on your use case. OAuth apps allow other users to authenticate against Contentful in order for your app to use the issued token as part of its process. Personal Access Tokens are personal, which means that they are tied to a single Contentful user account. This makes Personal Access Tokens good candidates for development, as well as automation purposes, when an application does only require a single Contentful account to manage content.

How can I get a Personal Access Token if I don’t have any Content Management Access token in the first place?

You need to get a Content Management API token from the Contentful Web App. You can request it in the API section.

Should I secure these tokens? How?

Content Management API tokens are just like passwords. Anyone getting it could use it to use Contentful on your behalf so you should make your best to protect them. Typical measure you would need to take include referring to environment variables as much as possible, and adding to your VCS ignore list any file where a token is mentioned to ensure such couldn’t be leaked.